From db85e9fff3a8d0a58d8953768c2b2f6a5b7c0d2a Mon Sep 17 00:00:00 2001 From: lvyuanyuan Date: Tue, 2 Apr 2024 10:23:07 +0800 Subject: [PATCH] add afs fuzz test Signed-off-by: lvyuanyuan Change-Id: I145e9546d64d71333e4f6b2d92147ba0ac02931b --- test/fuzztest/BUILD.gn | 1 + test/fuzztest/backupsaanother_fuzzer/BUILD.gn | 61 ++++ .../backupsaanother_fuzzer.cpp | 314 ++++++++++++++++++ .../backupsaanother_fuzzer.h | 21 ++ .../backupsaanother_fuzzer/corpus/init | 16 + .../backupsaanother_fuzzer/project.xml | 25 ++ 6 files changed, 438 insertions(+) create mode 100644 test/fuzztest/backupsaanother_fuzzer/BUILD.gn create mode 100644 test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.cpp create mode 100644 test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.h create mode 100644 test/fuzztest/backupsaanother_fuzzer/corpus/init create mode 100644 test/fuzztest/backupsaanother_fuzzer/project.xml diff --git a/test/fuzztest/BUILD.gn b/test/fuzztest/BUILD.gn index 49bed1ad8..f8e418ac1 100644 --- a/test/fuzztest/BUILD.gn +++ b/test/fuzztest/BUILD.gn @@ -18,6 +18,7 @@ group("fuzztest") { # deps file "backupext_fuzzer:BackupExtFuzzTest", "backupsa_fuzzer:BackupSaFuzzTest", + "backupsaanother_fuzzer:BackupSaAnotherFuzzTest", "backupsaappend_fuzzer:BackupSaAppendFuzzTest", "fileshare_fuzzer:FileShareFuzzTest", "remotefileshare_fuzzer:RemoteFileShareFuzzTest", diff --git a/test/fuzztest/backupsaanother_fuzzer/BUILD.gn b/test/fuzztest/backupsaanother_fuzzer/BUILD.gn new file mode 100644 index 000000000..6be1e4d5c --- /dev/null +++ b/test/fuzztest/backupsaanother_fuzzer/BUILD.gn @@ -0,0 +1,61 @@ +# Copyright (c) 2024 Huawei Device Co., Ltd. +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +#####################hydra-fuzz################### +import("//build/config/features.gni") +import("//build/test.gni") +import("//foundation/filemanagement/app_file_service/app_file_service.gni") +import("//foundation/filemanagement/app_file_service/backup.gni") + +##############################fuzztest########################################## +ohos_fuzztest("BackupSaAnotherFuzzTest") { + module_out_path = "app_file_service/app_file_service" + fuzz_config_file = + "${app_file_service_path}/test/fuzztest/backupsaanother_fuzzer" + include_dirs = [ + "${app_file_service_path}/services/backup_sa/include/module_ipc", + "${app_file_service_path}/services/backup_sa/include", + "${app_file_service_path}/interfaces/inner_api/native/backup_kit_inner/impl", + "${app_file_service_path}/frameworks/native/backup_kit_inner/include", + ] + cflags = [ + "-g", + "-O0", + "-Wno-unused-variable", + "-fno-omit-frame-pointer", + ] + sources = [ "backupsaanother_fuzzer.cpp" ] + + deps = [ + "${app_file_service_path}/services/backup_sa:backup_sa", + "${path_backup}/interfaces/inner_api/native/backup_kit_inner:backup_kit_inner", + "${path_backup}/utils:backup_utils", + "${third_party_path}/bounds_checking_function:libsec_shared", + ] + + external_deps = [ + "ability_runtime:ability_manager", + "ability_runtime:abilitykit_native", + "c_utils:utils", + "file_api:filemgmt_libn", + "hilog:libhilog", + "ipc:ipc_core", + "safwk:system_ability_fwk", + ] + + defines = [ + "LOG_TAG=\"app_file_service\"", + "LOG_DOMAIN=0xD200000", + ] +} +############################################################################### diff --git a/test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.cpp b/test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.cpp new file mode 100644 index 000000000..e6d9902ac --- /dev/null +++ b/test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.cpp @@ -0,0 +1,314 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "backupsaanother_fuzzer.h" + +#include +#include +#include +#include +#include + +#include "message_parcel.h" +#include "service.h" +#include "service_proxy.h" +#include "service_reverse.h" +#include "service_stub.h" +#include "securec.h" +#include "system_ability.h" + +using namespace std; +using namespace OHOS::FileManagement::Backup; + +namespace OHOS { +constexpr int32_t SERVICE_ID = 5203; + +bool CmdGetFileHandleFuzzTest(const uint8_t *data, size_t size) +{ + MessageParcel datas; + datas.WriteInterfaceToken(ServiceStub::GetDescriptor()); + int pos = (size + 1) >> 1; + if (size > 0) { + datas.WriteString(string(reinterpret_cast(data), pos)); + } + + if (size > 1) { + datas.WriteString(string(reinterpret_cast(data + pos), size - pos)); + } + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + + sptr service = sptr(new Service(SERVICE_ID)); + service->OnRemoteRequest(static_cast(IServiceInterfaceCode::SERVICE_CMD_GET_FILE_NAME), + datas, reply, option); + service = nullptr; + return true; +} + +bool CmdAppendBundlesBackupSessionFuzzTest(const uint8_t *data, size_t size) +{ + MessageParcel datas; + datas.WriteInterfaceToken(ServiceStub::GetDescriptor()); + if (size > 0) { + vector bundleNames; + for (size_t i = 0; i < size; i++) { + string name = string(reinterpret_cast(data), size) + to_string(i); + bundleNames.push_back(name); + } + datas.WriteStringVector(bundleNames); + } + + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + + sptr service = sptr(new Service(SERVICE_ID)); + uint32_t code = static_cast(IServiceInterfaceCode::SERVICE_CMD_APPEND_BUNDLES_BACKUP_SESSION); + service->OnRemoteRequest(code, datas, reply, option); + service = nullptr; + return true; +} + +bool CmdReleaseFuzzTest(const uint8_t *data, size_t size) +{ + MessageParcel datas; + datas.WriteInterfaceToken(ServiceStub::GetDescriptor()); + datas.WriteBuffer(data, size); + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + + sptr service = sptr(new Service(SERVICE_ID)); + uint32_t code = static_cast(IServiceInterfaceCode::SERVICE_CMD_RELSEASE_SESSION); + service->OnRemoteRequest(code, datas, reply, option); + service = nullptr; + return true; +} + +void GetBundleNamesData(const uint8_t *data, size_t size, vector &bundleNames) +{ + for (size_t i = 0; i < size; i++) { + string name = string(reinterpret_cast(data), size) + to_string(i); + if (size < sizeof(int64_t)) { + BIncrementalData data(name, 0); + bundleNames.push_back(data); + continue; + } + + int64_t nTime = *(reinterpret_cast(data)); + int32_t fd = *(reinterpret_cast(data)); + int32_t priority = *(reinterpret_cast(data + sizeof(int32_t))); + string parameters = string(reinterpret_cast(data), size) + to_string(size - i); + BIncrementalData data(name, nTime, fd, parameters, priority); + bundleNames.push_back(data); + } +} + +template +void WriteParcelableVector(const std::vector &parcelableVector, Parcel &data) +{ + if (!data.WriteUint32(parcelableVector.size())) { + return; + } + + for (const auto &parcelable : parcelableVector) { + if (!data.WriteParcelable(&parcelable)) { + return; + } + } + + return; +} + +bool CmdGetLocalCapabilitiesIncrementalFuzzTest(const uint8_t *data, size_t size) +{ + MessageParcel datas; + datas.WriteInterfaceToken(ServiceStub::GetDescriptor()); + if (size > 0) { + vector bundleNames; + GetBundleNamesData(data, size, bundleNames); + WriteParcelableVector(bundleNames, datas); + } + + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + + sptr service = sptr(new Service(SERVICE_ID)); + uint32_t code = static_cast(IServiceInterfaceCode::SERVICE_CMD_GET_LOCAL_CAPABILITIES_INCREMENTAL); + service->OnRemoteRequest(code, datas, reply, option); + service = nullptr; + return true; +} + +bool CmdInitIncrementalBackupSessionFuzzTest(const uint8_t *data, size_t size) +{ + MessageParcel datas; + datas.WriteInterfaceToken(ServiceStub::GetDescriptor()); + BIncrementalBackupSession::Callbacks callbacks; + std::shared_ptr backupPtr = + std::make_shared(callbacks); + datas.WriteRemoteObject(backupPtr->AsObject().GetRefPtr()); + + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + + sptr service = sptr(new Service(SERVICE_ID)); + uint32_t code = static_cast(IServiceInterfaceCode::SERVICE_CMD_INIT_INCREMENTAL_BACKUP_SESSION); + service->OnRemoteRequest(code, datas, reply, option); + service = nullptr; + return true; +} + +bool CmdAppendBundlesIncrementalBackupSessionFuzzTest(const uint8_t *data, size_t size) +{ + MessageParcel datas; + datas.WriteInterfaceToken(ServiceStub::GetDescriptor()); + if (size > 0) { + vector bundleNames; + GetBundleNamesData(data, size, bundleNames); + WriteParcelableVector(bundleNames, datas); + } + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + + sptr service = sptr(new Service(SERVICE_ID)); + uint32_t code = static_cast( + IServiceInterfaceCode::SERVICE_CMD_APPEND_BUNDLES_INCREMENTAL_BACKUP_SESSION); + service->OnRemoteRequest(code, datas, reply, option); + service = nullptr; + return true; +} + +bool CmdPublishIncrementalFileFuzzTest(const uint8_t *data, size_t size) +{ + MessageParcel datas; + datas.WriteInterfaceToken(ServiceStub::GetDescriptor()); + if (size > 0) { + int pos = (size + 1) >> 1; + std::string fileName((const char *)data, pos); + std::string bundleName((const char *)data + pos, size - pos); + uint32_t sn = 0; + if (size > sizeof(uint32_t)) { + sn = *(reinterpret_cast(data)); + } + BFileInfo fileInfo(fileName, bundleName, sn); + datas.WriteParcelable(&fileInfo); + } + + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + + sptr service = sptr(new Service(SERVICE_ID)); + uint32_t code = static_cast(IServiceInterfaceCode::SERVICE_CMD_PUBLISH_INCREMENTAL_FILE); + service->OnRemoteRequest(code, datas, reply, option); + service = nullptr; + return true; +} + +bool CmdAppIncrementalFileReadyFuzzTest(const uint8_t *data, size_t size) +{ + MessageParcel datas; + datas.WriteInterfaceToken(ServiceStub::GetDescriptor()); + std::string fileName((const char *)data, size); + datas.WriteString(fileName); + if (size >= sizeof(int)) { + int fd = *(reinterpret_cast(data)); + datas.WriteFileDescriptor(UniqueFd(fd)); + } + + if (size >= sizeof(int) + sizeof(int)) { + int manifestId = *(reinterpret_cast(data + sizeof(int))); + datas.WriteFileDescriptor(UniqueFd(manifestId)); + } + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + + sptr service = sptr(new Service(SERVICE_ID)); + uint32_t code = static_cast(IServiceInterfaceCode::SERVICE_CMD_APP_INCREMENTAL_FILE_READY); + service->OnRemoteRequest(code, datas, reply, option); + service = nullptr; + return true; +} + +bool CmdAppIncrementalDoneFuzzTest(const uint8_t *data, size_t size) +{ + MessageParcel datas; + datas.WriteInterfaceToken(ServiceStub::GetDescriptor()); + if (size >= sizeof(int32_t)) { + datas.WriteInt32(*(reinterpret_cast(data))); + } + + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + + sptr service = sptr(new Service(SERVICE_ID)); + service->OnRemoteRequest(static_cast(IServiceInterfaceCode::SERVICE_CMD_APP_INCREMENTAL_DONE), + datas, reply, option); + service = nullptr; + return true; +} + +bool CmdGetIncrementalFileHandleFuzzTest(const uint8_t *data, size_t size) +{ + MessageParcel datas; + datas.WriteInterfaceToken(ServiceStub::GetDescriptor()); + int pos = (size + 1) >> 1; + if (size > 0) { + datas.WriteString(string(reinterpret_cast(data), pos)); + } + + if (size > 1) { + datas.WriteString(string(reinterpret_cast(data + pos), size - pos)); + } + + datas.RewindRead(0); + MessageParcel reply; + MessageOption option; + + sptr service = sptr(new Service(SERVICE_ID)); + service->OnRemoteRequest(static_cast(IServiceInterfaceCode::SERVICE_CMD_GET_INCREMENTAL_FILE_NAME), + datas, reply, option); + service = nullptr; + return true; +} +} // namespace OHOS + +/* Fuzzer entry point */ +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) +{ + /* Run your code on data */ + if (data == nullptr) { + return 0; + } + + OHOS::CmdGetFileHandleFuzzTest(data, size); + OHOS::CmdAppendBundlesBackupSessionFuzzTest(data, size); + OHOS::CmdReleaseFuzzTest(data, size); + OHOS::CmdGetLocalCapabilitiesIncrementalFuzzTest(data, size); + OHOS::CmdInitIncrementalBackupSessionFuzzTest(data, size); + OHOS::CmdPublishIncrementalFileFuzzTest(data, size); + OHOS::CmdAppIncrementalFileReadyFuzzTest(data, size); + OHOS::CmdAppIncrementalDoneFuzzTest(data, size); + OHOS::CmdGetIncrementalFileHandleFuzzTest(data, size); + OHOS::CmdAppendBundlesIncrementalBackupSessionFuzzTest(data, size); + return 0; +} \ No newline at end of file diff --git a/test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.h b/test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.h new file mode 100644 index 000000000..f89e351e6 --- /dev/null +++ b/test/fuzztest/backupsaanother_fuzzer/backupsaanother_fuzzer.h @@ -0,0 +1,21 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef BACKUPSAANOTHER_FUZZER_H +#define BACKUPSAANOTHER_FUZZER_H + +#define FUZZ_PROJECT_NAME "backupsaanother_fuzzer" + +#endif \ No newline at end of file diff --git a/test/fuzztest/backupsaanother_fuzzer/corpus/init b/test/fuzztest/backupsaanother_fuzzer/corpus/init new file mode 100644 index 000000000..6198079a2 --- /dev/null +++ b/test/fuzztest/backupsaanother_fuzzer/corpus/init @@ -0,0 +1,16 @@ +/* + * Copyright (c) 2024 Huawei Device Co., Ltd. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +FUZZ \ No newline at end of file diff --git a/test/fuzztest/backupsaanother_fuzzer/project.xml b/test/fuzztest/backupsaanother_fuzzer/project.xml new file mode 100644 index 000000000..7133b2b92 --- /dev/null +++ b/test/fuzztest/backupsaanother_fuzzer/project.xml @@ -0,0 +1,25 @@ + + + + + + 1000 + + 300 + + 4096 + + -- Gitee